fix(auto): use action parser for repair gates
@@ -34,6 +34,7 @@ from pydantic import BaseModel, Field
|
||||
from src.core.config import settings
|
||||
from src.core.constants import is_cicd_alertname, is_heartbeat_alertname
|
||||
from src.services.alert_rule_engine import get_incident_type, match_rule
|
||||
from src.services.action_parser import is_safe_kubectl_action
|
||||
from src.core.logging import get_logger
|
||||
from src.core.metrics import record_alert_chain_success
|
||||
|
||||
@@ -1059,15 +1060,13 @@ async def receive_alert(
|
||||
# 設計:confidence ≥ 0.85 + 非 CRITICAL + 非破壞性 + 有 kubectl 指令 → 直接執行
|
||||
# 安全防線:CRITICAL / destructive patterns / NO_ACTION/INVESTIGATE/OBSERVE / 空 kubectl → 降級 PENDING
|
||||
if analysis_result:
|
||||
from src.services.auto_approve import _DESTRUCTIVE_PATTERNS as _cs1_destr_patterns
|
||||
|
||||
_cs1_kubectl = analysis_result.kubectl_command.strip() if analysis_result.kubectl_command else ""
|
||||
_cs1_can_auto = (
|
||||
bool(_cs1_kubectl)
|
||||
and analysis_result.confidence >= 0.85
|
||||
and risk_level != RiskLevel.CRITICAL
|
||||
and _sa_val not in _non_destructive_actions
|
||||
and not any(p in _cs1_kubectl.lower() for p in _cs1_destr_patterns)
|
||||
and is_safe_kubectl_action(_cs1_kubectl)
|
||||
)
|
||||
if _cs1_can_auto:
|
||||
try:
|
||||
@@ -1396,15 +1395,13 @@ async def _process_new_alert_background(
|
||||
# 設計:is_rule_based=True 確定性高,滿足條件直接執行,不等人工審核
|
||||
# 安全防線:CRITICAL / destructive patterns / NO_ACTION / 空 kubectl → 全部降級 PENDING
|
||||
try:
|
||||
from src.services.auto_approve import _DESTRUCTIVE_PATTERNS
|
||||
from src.models.approval import ApprovalRequest, ApprovalStatus
|
||||
from src.services.approval_execution import ApprovalExecutionService
|
||||
|
||||
_destructive_set = set(p.lower() for p in _DESTRUCTIVE_PATTERNS)
|
||||
_can_auto = (
|
||||
bool(rule_kubectl)
|
||||
and rule_risk != RiskLevel.CRITICAL
|
||||
and not any(p in rule_kubectl.lower() for p in _destructive_set)
|
||||
and is_safe_kubectl_action(rule_kubectl)
|
||||
and "NO_ACTION" not in rule_action
|
||||
)
|
||||
if _can_auto:
|
||||
@@ -1576,14 +1573,13 @@ async def _process_new_alert_background(
|
||||
logger.warning("shadow_auto_approve_failed", error=str(_shadow_err_cs3))
|
||||
|
||||
# 2026-04-27 Claude Sonnet 4.6: CS3 LLM 高信心自動執行(修法3擴展)
|
||||
from src.services.auto_approve import _DESTRUCTIVE_PATTERNS as _cs3_destr_patterns # noqa: PLC0415
|
||||
_cs3_kubectl = (analysis_result.kubectl_command or "").strip()
|
||||
_cs3_can_auto = (
|
||||
bool(_cs3_kubectl)
|
||||
and analysis_result.confidence >= 0.85
|
||||
and risk_level != RiskLevel.CRITICAL
|
||||
and "NO_ACTION" not in (analysis_result.action_title or "")
|
||||
and not any(p in _cs3_kubectl.lower() for p in _cs3_destr_patterns)
|
||||
and is_safe_kubectl_action(_cs3_kubectl)
|
||||
)
|
||||
if _cs3_can_auto:
|
||||
try:
|
||||
|
||||
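Review bot: In all three gates (`_cs1_can_auto`, `_can_auto`, `_cs3_can_auto`) `is_safe_kubectl_action()` now appears to be the only content check between a model- or rule-supplied kubectl string and unattended execution, assuming the `_DESTRUCTIVE_PATTERNS` lines are the removed side (the hunk counts suggest so, but the +/- markers are lost on this page). `_cs1_can_auto` and `_cs3_can_auto` are evaluated before their `try:`, so the parser has to return False rather than raise on unparseable input, or the alert path fails instead of falling back to PENDING; the function bodies continue outside the hunks, so an outer handler may exist. `analysis_result.confidence` is reported by the same model that wrote the command, so it should not be counted as an independent control, which makes it worth confirming that the parser is an allowlist of verbs and resources rather than another pattern match. The safety comments above the gates still list "destructive patterns" and would read better as `# Safety gate: CRITICAL / rejected by is_safe_kubectl_action() / NO_ACTION / empty kubectl -> downgrade to PENDING`.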